MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


AgentTesla


Vendor detections: 10


Intelligence 10 IOCs YARA 6 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae
SHA3-384 hash: a65df34c18d3b03e164f03dbbded397d3408306abeb9121c8780bbc937b9ad378cc51d73f35147d61b1dd4751f67ab8c
SHA1 hash: f222c6f1b9550236da34017ad00a6c15a7acb509
MD5 hash: a62a449692e012e58e753bff74f2636a
humanhash: purple-harry-mobile-wyoming
File name:QUO_01072021.PDF(21KB).exe
Download: download sample
Signature AgentTesla
Create hunting rule
File size:648'704 bytes
First seen:2021-07-01 05:52:44 UTC
Last seen:2021-07-01 07:03:15 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash f34d5f2d4577ed6d9ceec516c1f5a744 (48'652 x AgentTesla, 19'463 x Formbook, 12'204 x SnakeKeylogger)
ssdeep 12288:SWxa+dJgTn+wQb9VBGlOQh3q8pF1RKLKQKvZZ09x+X1jr:nsXQ5VBEhqOFOLKQKvL0nkX
Threatray 6'242 similar samples on MalwareBazaar
TLSH 8FD412686AEC1364E3B79F3729F46184D63EF6293617E41D3482478A0BC7B81DEE0719
Reporter lowmal3
Tags:AgentTesla exe

Intelligence

File Origin
# of uploads :
2
# of downloads :
126
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
QUO_01072021.PDF(21KB).exe
Verdict:
Malicious activity
Analysis date:
2021-07-01 05:54:18 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/3fa72a9c-f86d-47fb-9968-274c171cd97a

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
AgentTeslaV3
Create hunting rule
Link:
https://www.capesandbox.com/analysis/169050/
Detection(s):
SecuriteInfo.com.Trojan.Siggen9.56514.981.8367.UNOFFICIAL
Create hunting rule

Result
Verdict:
UNKNOWN
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Verdict:
Malicious
Link:
https://analyze.intezer.com/analyses/8704f9a2-78ab-44cc-a7d2-293924b4cd30
Result
Threat name:
AgentTesla
Create hunting rule
Detection:
malicious
Classification:
troj.adwa.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/810334
Signature
.NET source code contains very large strings
Allocates memory in foreign processes
Found malware configuration
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for sample
Modifies the hosts file
Multi AV Scanner detection for submitted file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Writes to foreign memory regions
Yara detected AgentTesla
Yara detected AntiVM3
Behaviour
Behavior Graph:
Download SVG
Detection:
agenttesla
Create hunting rule
Link:
https://mwdb.cert.pl/sample/c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae/
Threat name:
ByteCode-MSIL.Backdoor.Remcos
Create hunting rule
Status:
Malicious
First seen:
2021-07-01 01:07:14 UTC
AV detection:
6 of 46 (13.04%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=yv4vnlb4wdwjegswypb2owqw7ufyzqfu7is6orckvxx2tbuk7gxa._file
Verdict:
malicious
Label(s):
agenttesla
Create hunting rule
Similar samples:
16fc370e530afdde05fe41e38822b935747c784ac8b6bbc8a3f7623915aee083
AgentTesla
28df700cb8f6a7100d2cb20fcb51cd53dad822386d51701dbfbda945c4d2bd05
AgentTesla
3e48d983e3315501931c646f896a8189637f5b9d21c453b051cd17f2584ee3c4
AgentTesla
9805afbc4ec53bea5c08ab912445f1a9e34791eeaaba6c8ec0d50223e2c6005b
AgentTesla
a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd
AgentTesla
a997db748e940751ad67b16d4d58b0a4684c4106dd751f52df9d49bd67b9e9ea
AgentTesla
bb739ce9108a4b006bef55dd1e9d2495e482dacef0bb081a71aa946c95634080
AgentTesla
da6c75ea9a77810c91f9376280a0c7c0a28d64aabeba095b53b2c026be24a41f
AgentTesla
dd5a14637f0373f0833e003675e13c4039423d402013d89d85ea345c5d2df963
AgentTesla
e9bd86ab3129da3447a70bac66feb2f90f7829e5b4595cff15a31a45b1cf82f7
AgentTesla
+ 6'232 additional samples on MalwareBazaar
Result
Malware family:
agenttesla
Create hunting rule
Score:
  10/10
Tags:
family:agenttesla keylogger spyware stealer trojan
Link:
https://tria.ge/reports/210701-rwpshgc6zn/
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetThreadContext
Drops file in Drivers directory
AgentTesla Payload
AgentTesla
Unpacked files
SH256 hash:
a56d21510861bab848c414db98e08eb95ce44f6b3c697b3c33ba2279ab9bbe72
MD5 hash:
365327ab58ba02b2e9935ebbdd85c25b
SHA1 hash:
f4c1feff97f48c16b7ea86a169bbbfff9f6b28a5
Link:
https://www.unpac.me/results/6d8da27f-0d5c-4f24-8c5f-6551ed792822/
SH256 hash:
5bede9eedf6ae6df5a9d587c116c9583b31474c159c2b53486b000093cb3fde6
MD5 hash:
072eeac61b35d3f09edee4ff4f80f52d
SHA1 hash:
696fd9905a47e526470c2e234fef32f1ec1b74ad
Link:
https://www.unpac.me/results/6d8da27f-0d5c-4f24-8c5f-6551ed792822/
SH256 hash:
8af433874b78acb3d264b481b8e1bcd45dd87c2da4cdf7efb307551b4787f478
MD5 hash:
d7a0ffbf80d3bee13df691729854ca6d
SHA1 hash:
42f38ec5a621f359562bbc51e27ff4c201aefa46
Link:
https://www.unpac.me/results/6d8da27f-0d5c-4f24-8c5f-6551ed792822/
SH256 hash:
c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae
MD5 hash:
a62a449692e012e58e753bff74f2636a
SHA1 hash:
f222c6f1b9550236da34017ad00a6c15a7acb509
Link:
https://www.unpac.me/results/6d8da27f-0d5c-4f24-8c5f-6551ed792822/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:ach_AgentTesla_20200929
Create hunting rule
Author:abuse.ch
Description:Detects AgentTesla PE
Rule name:MALWARE_Win_AgentTeslaV3
Create hunting rule
Author:ditekSHen
Description:AgentTeslaV3 infostealer payload
Rule name:pe_imphash
Create hunting rule
Rule name:Skystars_Malware_Imphash
Create hunting rule
Author:Skystars LightDefender
Description:imphash
Rule name:win_agent_tesla_v1
Create hunting rule
Author:Johannes Bader @viql
Description:detects Agent Tesla

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Malspam

AgentTesla

Executable exe c57956ac3cb0ec921a56c3c3a75a16fd0b8cc0b4fa25e7444aadefa9868af9ae

(this sample)

  
Delivery method
Distributed via e-mail attachment
Cape
Cape
https://www.capesandbox.com/analysis/169050/

Comments